
DRAFT – FOR DISCUSSION PURPOSES ONLY

DESIGNING AND IMPLEMENTING A WORLD CLASS RISK AND CONTROLS MONITORING FUNCTION

Presented to New York IIA-ISACA NY Metro Chapters – October 26, 2012

Ray Purcell (Pfizer) and David Hodgson (Deloitte & Touche LLP)

- 2 - CONFIDENTIAL

The world’s premier biopharmaceutical company. We make medicines and vaccines that help people and animals when they are sick and prevent them from getting sick in the first place.


Pfizer Today

• $67 billion revenue in 2011
• 89 manufacturing sites worldwide
• 150 countries in which Pfizer sells products
• #1 Primary Care, Specialty Care and Animal Health businesses worldwide
• More than 100,000 colleagues around the globe


Governance Model: The Four Lines of Defense

Level 1: First Line Quality
• At the Source
• Continuous Assessment
• Quality Control
• Transaction Processing

Level 2: Risk Identification/Monitoring
• Pan-Pfizer Strategic Link for Risk
• Monitoring & Escalation
• Identification of Trends and Opportunities

Level 3: Corp. Oversight (Corporate Audit)
• Independent
• Risk-based
• Pan-Pfizer

Level 4: Governance
• Board
• ELT
• FLT

“Level 3” activities are performed independently and periodically by Pfizer Corporate Audit. One Audit initiative focused on improving the efficiency and effectiveness of “Level 3” activities.

“Level 2” activities are ongoing risk, compliance and control monitoring activities. Examples:
• Monitoring key metrics (e.g., # of account reconciliations performed)
• Identifying trends across markets/plants

“Level 1” activities are part of the day to day business operations. Finance One has been impacting and addressing “Level 1” activities via process-focused workshops and recommendations over the past several months. Examples:
• Performing account reconciliations
• Documenting results


GRCC Project Overview and Anticipated Benefits

GRCC Project Overview

Improve the effectiveness of oversight and monitoring of internal controls and regulatory compliance activities across Pfizer through:

1. Establishing a Compliance Center of Excellence (CoE) to enable consistency of interpretation and execution of regulatory compliance activities and to provide clarity of ownership
2. A redesign of Level 2 monitoring for in scope activities to enable a proactive risk based approach and monitoring of key risk areas. Scope would include:
   a. Centralized top level risk assessment
   b. Monitoring of the following in scope activities:
      i. FCPA / Healthcare compliance
      ii. Internal Controls over Financial Reporting (SOX)

GRCC Anticipated Benefits

• Enhanced accountability, consistency and transparency related to compliance activities
• Greater alignment of market compliance and control efforts with Pfizer’s overall risk assessment
• Reduced burden on the business through centralized approach to strategy and planning, deployment of consistent methodologies, and streamlining of processes / sharing of leading practices across markets
• Reduced risk exposure due to greater transparency into risks, issues and trends across the business on a continuous basis (enhanced enterprise-wide view)
• Enhanced accountability and clear path for risk and issue escalation


GRCC Model Development Approach

[Diagram: labels recovered from the model development figure]

Inputs
• Deep Dives
• Baseline Data
• Site Visits
• Industry Experience
• Current State Assessment
• Risk Adjusted View of Locations (IA Risk Assessment)

GRCC Functional Model
• GRCC Methodology / CQ Approach / Reporting
• Defined GRCC Activities for ICOFR/SOX, FCPA/GPIHP/GV
• GRCC Operating Model
• CQ Activities Taxonomy
• Scope: FCPA/HCC, ITGC, ICOFR/SOX
• Process areas: Governance & Oversight; Policies & Procedures; Risk Identification & Assessment; Risk & Compliance Management; Monitoring; Reporting & Escalation; Communication & Training

Enabling Technology

Organization / Market Redesign and Optimization / Change and Communications
• Organizational Design & Headcount
• Job Descriptions
• Roles and Responsibilities
• Governance Framework and Committees
• Workforce Plan
• Communications & Training Plan
• Implementation Roadmap
• Implementation Strategy

Organization
• GRCC Leader
• FCPA/GPIHP/Global Vet COE
• ICOFR/SOX COE
• Compliance COE
• Markets: Canada/DM, Europe, AfME/EM, Asia/Latin America
• Management Risk Committee
• Controller
• BTQ&C Leader
• Local Leadership


Summary of the Key GRCC Roles – Process View

Process / Key GRCC Activities

Governance & Oversight
• Develop common definitions, framework and risk appetite
• For FCPA and HCC, leverage framework and risk appetite established by Corporate Compliance

Policies & Standards
• Interpret policies, identify key control requirements and drive development of guidance related to areas in scope
• Identify new/changed ICOFR laws and regulations and develop ICOFR related policies

Risk Identification, Assessment & Measurement
• Design the risk and control self-assessment (“RCSA”) methodology and approach
• Lead, coordinate and facilitate the RCSA process and review results

Risk & Compliance Management
• Recommend continuous improvement of controls through automation and streamlining and oversee remediation of gaps in high risk areas
• Provide guidance on the development of action plans related to high risk areas

Risk & Compliance Monitoring
• Design effective ongoing monitoring approaches
• Perform risk based monitoring (analytics, metrics, select sample testing, etc.)

Risk & Compliance Reporting & Escalation
• Report key risk, compliance and control information to key stakeholders based on their needs
• Develop escalation protocols and escalate issues up

Communication & Training
• Develop overall training plans, review or facilitate development of local training using a risk based approach


Updated GRCC Functional Model and Key Functional Responsibilities

[Diagram: labels recovered from the functional model chart; the two axes read “Oversight, Strategy and Planning” and “Implementation and Monitoring”]

• Management Risk Committee
• GRCC Leader
• Compliance COE
• Healthcare Law Compliance / FCPA COE
• ICOFR/SOX COE
• VP/Controller
• Regional Leaders: Americas, Europe, Asia, AfME
• Markets/Plants*
• Local Leadership**
• BT Q&C Leader**

Key functional responsibilities (in the order they appear on the chart)
• Oversight and sets ‘tone at the top’
• Critical issue escalation
• Set mission, goals, and guiding principles for GRCC
• Communicate key activities, trends and results
• Risk-based resource allocation
• Coordination with other risk groups (e.g. Corporate Audit (“CA”), Compliance)
• Perform monitoring activities at the market level
• Coordinate with market/site/plant level regarding design and implementation of controls to address risk
• In market point of contact for CA
• Identify emerging or changing risks in the market
• Market/regionally located, business unit agnostic
• Risk based deployment of resources
• Interpret new or changing regulations for the risk area
• Lead the risk assessment process for the risk area
• Determine control requirements based on risk profile
• Determine governance framework and approach for monitoring
• Aggregate monitoring results and generate consolidated reporting
• Focal point of contact to business unit leaders for unique issues
• Deploy methodologies, tools and training to the markets
• Evaluate results of monitoring activities for risks, issues and trends
• Identify emerging or changing risks in the geography
• Communicate with FDs, Controllers, business, CA, etc. (e.g., implementation/monitoring, changes in business strategy, etc.)
• Regionally located, business unit agnostic

* Detailed deployment strategy for Geography and Market/BU GRCC resources will be determined during detailed implementation planning
* Markets/Plants (i.e., Emerging Markets, Developed Markets, GFS)
** Outside of the GRCC Function


GRCC Governance Framework and Connection with the Business

[Diagram: labels recovered from the governance framework figure, top to bottom]

• Management Risk Committee
• The Top Down View: risk and control appetite, risk policies, guidelines, and framework
• Aggregation and Integration: risk, compliance and control metrics and key trends
• GRCC Function
• Data Collection: risk and control metric inputs
• Operational View: practices and procedures, guidance on risk mitigation, facilitation of risk assessment
• Markets, Plants and Corporate Functions (e.g. Corporate BT, Finance, GFS, Business Divisions)
• Corporate Audit

The goal of the GRCC functional model is to provide a pan-Pfizer approach to managing and monitoring risks in scope. However, a strong connection to the business and appreciation of the unique nature of the business divisions/units will also be required for the success of the GRCC function.

• Management Risk Committee composition includes Divisional Finance Leaders and other key stakeholders
• COE will be organized to provide divisional representation/expertise and act as a focal point of contact to the business
• GRCC will work in close collaboration with Controllers, Legal, Compliance and BT Q&C
• Front line ownership and accountability for risks and controls reside in this group


Standardization of the CCR Role: In-Scope Processes and Activities

Of the activities listed below, we estimate that a majority (upwards of 90%) are currently being performed by RAMs (CCRs) to some degree, although inconsistently across Pfizer. Additionally, certain compliance activities may be currently performed by other Finance colleagues (e.g., Trend Analysis) in some markets. Provided below is an approximate percentage of time CCRs would allocate to each specific process depending on the market.

Governance (Less than 1%)
– Provide input on the strategy for financial reporting and FCPA/GPIHP/GV risk management, compliance quality activities and reporting

Policies and Procedures (Less than 5%)
– Provide in market support, guidance, and consultation to ensure process and internal control changes are documented in local SOPs; streamline and harmonize local policies; work with BPOs/Legal to develop and maintain a central repository for local SOPs; maintain a change management process for local SOPs

Risk Identification, Measurement and Assessment (Less than 5%)
– Execute and coordinate annual ICOFR and FCPA/GPIHP risk assessment; consult on design and maintenance of a standard methodology by GRCC leadership to identify and prioritize existing and emerging ICOFR and FCPA/GPIHP/GV risks and controls

Risk and Compliance Management (~ 25% to 30% depending on market)
– Provide local consultation and support with guidance on controls and best practices; document ICOFR RCMs using guidance provided by GRCC Leadership and maintain baseline of controls; provide support and guidance to BPOs in the development, execution, and documentation of remedial actions for any deficiencies; responsible for preparing annual FCPA and GPIHP Trend Analysis and certification

Risk and Compliance Monitoring (approximately 50% depending on market)
– Execute CQ monitoring activities using guidance, tools, and templates provided by GRCC Leadership including:
  • Coordination and execution of market internal control self-assessment and certifications
  • Coordination and execution of SOX 302 and 404 certifications
  • Execution of analytical reviews
  • Performing walkthroughs of key controls
  • Performing sample based reviews in the areas of ICOFR, FCPA/GPIHP/GV, and T&E to identify control deficiencies

Risk and Compliance Reporting and Escalation (Less than 5%)
– Report results of compliance quality activities using guidance and tools developed by GRCC Leadership; execute escalation protocols designed by GRCC Leadership for deficiencies or issues identified as a result of the execution of compliance quality activities

Training (Less than ~ 5%)
– Facilitate development of periodic training materials related to ICOFR, FCPA/GPIHP/GV, and T&E, including for new hires and contractors; perform periodic training in the market on ICOFR, FCPA/GPIHP/GV, and T&E

Other Compliance Activities (~ 15%)
– Implement and support the business in roll-out of new compliance requirements, changes in policies and procedures, and CoE Compliance initiatives


What have we learned?

Some things worked well that we thought would be challenging
• Stronger support than expected from our Finance Directors in the field
• The compliance professionals in the field reacted very positively to being part of a global effort
• Both internal and external audit have been very supportive

There were some unexpected challenges
• There is a constant demand for training, and deep dive training that provides detailed guidance
• It is difficult to do this without effective tools / technology
• Balancing the monitoring and advisory roles is always going to be a challenge

Key lessons learned
• Change management matters: having a clear vision, communicating it well and constantly, and delivering the training needed to enable people to succeed in the new roles are all very important. Plan to measure and monitor your progress to make sure the change is fully and consistently implemented.
• Connecting the efforts of people across sixty countries requires effective tools and technology.
• Our work can help us to better mitigate risk while also introducing efficiencies through the application of our specialized skills and knowledge, working in collaboration with our partners in business finance.

As we appraise the project at the end of the first year, it has been a success.

Looking ahead, the challenge of Year Two will be to move from a start-up mode to business-as-usual, from a project mode to one of sustainable and consistent processes.


Working together for a healthier world